Date: 11/15/00
- Next message: Zeev Suraski: "Re: [PHP-DEV] CVS Account Request"
- Previous message: Sterling Hughes: "Re: [PHP-DEV] CVS Account Request"
- Next in thread: Andrei Zmievski: "Re: [PHP-DEV] CVS Account Request"
- Reply: Andrei Zmievski: "Re: [PHP-DEV] CVS Account Request"
- Reply: Rasmus Lerdorf: "Re: [PHP-DEV] CVS Account Request"
- Reply: Zeev Suraski: "Re: [PHP-DEV] CVS Account Request"
At 00:24 16/11/2000, Rasmus Lerdorf wrote:
>Part of the reason the PHP project has been successful is precisely
>because the barrier of entry has always been nice and low. This applies
>both to the language itself and also to the development of the language.
>I can count on one hand the number of times we have had bad commits over
>the last 5 years.
Your hands must have changed a lot since I last saw you :)
There were dozens.
> By empowering people to contribute, you encourage
>contributions. I would rather have a badly written extension than no
>extension. Badly written extensions spur other people to pitch in and
>improve it and the feedback provided to the author helps the author
>improve.
It's a double-edged sword. In general I agree with you, but since end
users have no way of knowing what is stable and what isn't, what's secure
and what isn't, there's a problem with this as well. Admittedly, I don't
have a good solution for this one.
>As far as a terrorist cvs committer goes. I think you are being overly
>paranoid. And I would challenge the statement that an unknown can sneak a
>harmful commit into PHP that is not caught by anybody. I read all commit
>messages. And I bet I am not the only one. Sure, I skip over some commit
>messages from known people in areas I know little about. But someone I
>don't recognize committing any sort of code automatically triggers a full
>review for me.
So, did you find the buffer overflow bug in Onn's fribidi extension?
You know what they say, you're only paranoid until things actually
happen. I don't think I'm paranoid at all. If I was paranoid, I would
have actively worked towards this much more intensively. I think it's not
a good idea to keep things the way they are, regardless of whether or not
they worked in the past years. PHP today is a couple of orders of
magnitude bigger than what it was 3 years ago, and our CVS access routines
remained the same.
>Let's not raise the barrier of entry without cause. Show me viable cause
>and we can talk about specifics.
I think I made my point when I said we don't need to wait to be hacked
before we take measures to reduce the chances of this happening. Things
aren't too secure in this world as it is, I don't see a reason to make it
easier to screw us up.
>I do agree that Pear needs to be split away at some point when it is
>mature enough to split. And applying some ACL's to separate doc, web and
>src code probably makes sense as well. But let's not take this further
>and start changing something that has worked very well for many years.
Well, I'm quite happy with applying ACL's, assuming it does what I think it
does. I don't have any sentiments for the split CVS roots solution,
something that would give an equivalent state would be fine as well.
Zeev
--
Zeev Suraski <zeev <email protected>>
CTO, Zend Technologies Ltd. http://www.zend.com/

